AN1659: Analytic 1659
On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.
Analyst context for executives and security teams
This analytic is about a mobile control point on Android: identifying apps that can use premium SMS features or request the SEND_SMS permission. For leaders, the business value is in reducing avoidable mobile risk from apps that can generate SMS activity, including potentially billable premium SMS use, and in proving that mobile app vetting and device review processes are not purely policy-based but evidence-driven.
Executive priority
Prioritize this where Android devices are part of workforce mobility, regulated operations, or bring-your-own-device access to business systems. The key executive question is whether the organization can identify Android apps requesting sensitive SMS capability before or after deployment, and whether exceptions are justified. This supports mobile security governance, compliance evidence for app review, and incident triage when unusual SMS-related activity or user billing complaints occur.
Technical view
For SOC, mobile security, and IR teams, validate whether Android app inventory and vetting workflows capture requests for the SEND_SMS permission and whether device-side review of premium SMS access is feasible through the Android Special access settings path. Because ATT&CK provides no separate detection logic or relationship context for this analytic, teams should treat it as a control validation and telemetry requirement rather than a complete detection rule.
Likely telemetry
- Android application permission inventory, especially SEND_SMS
- Mobile application vetting results for submitted or installed apps
- Android device application settings or special access review evidence for premium SMS capability
- Enterprise mobility management or mobile device management app inventory where available
- User or helpdesk reports related to unexpected SMS or premium SMS behavior
Detection direction
- Confirm that app vetting flags applications requesting SEND_SMS, since the official object notes this permission should be infrequently used.
- Review whether premium SMS access can be checked on Android devices through the Special access page in application settings.
- Tune review workflows to distinguish expected SMS-capable applications from uncommon or unjustified requests for SEND_SMS.
- Document blind spots where unmanaged Android devices, incomplete app inventory, or lack of mobile app vetting prevent reliable visibility.
- Do not assume SOC alerting exists from ATT&CK alone; the supplied object has no official detection logic and no relationship context.
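An added example (not MITRE's or Glexia's code) of the vetting check in the list above: it flags apps that request `SEND_SMS` and separates recorded exceptions from unjustified requests. It assumes the vetting pipeline has already decoded each app's manifest to text XML; the package names and the exception register are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SEND_SMS = "android.permission.SEND_SMS"
# Both manifest elements declare a permission; the -sdk-23 form applies on API 23+.
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}
# Constructed exception register: package -> recorded business justification.
APPROVED_SMS_APPS = {"com.example.fieldalerts": "On-call paging (placeholder ticket ref)"}

def requested_permissions(manifest_xml):
    """Return (package, permission names) from a decoded manifest string."""
    if "<!DOCTYPE" in manifest_xml:  # decoded manifests carry no DTD; refuse entity tricks
        raise ValueError("unexpected DTD in manifest")
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter() if el.tag in PERMISSION_TAGS)
    return root.get("package"), {n for n in names if n}

def vet_manifest(manifest_xml, approved=APPROVED_SMS_APPS):
    """Classify one app for the SEND_SMS review queue."""
    package, perms = requested_permissions(manifest_xml)
    if SEND_SMS not in perms:
        verdict = "no-send-sms"
    elif package in approved:
        verdict = "approved-exception"
    else:
        verdict = "needs-justification"
    return {"package": package, "verdict": verdict, "justification": approved.get(package)}

def review_queue(manifests):
    """Apps that request SEND_SMS without a recorded justification."""
    results = [vet_manifest(m) for m in manifests]
    return [r for r in results if r["verdict"] == "needs-justification"]

def build_manifest(package, *elements):
    """Build a constructed sample manifest (test data, not a real app)."""
    body = "".join(f'<{tag} android:name="{name}"/>' for tag, name in elements)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}</manifest>')

SAMPLES = [
    build_manifest("com.example.fieldalerts", ("uses-permission", SEND_SMS)),
    build_manifest("com.example.flashlight", ("uses-permission", "android.permission.CAMERA"),
                   ("uses-permission-sdk-23", SEND_SMS)),
    build_manifest("com.example.notes", ("uses-permission", "android.permission.INTERNET")),
]

if __name__ == "__main__":
    for row in review_queue(SAMPLES):
        print(row)
```

The second sample declares the permission through `uses-permission-sdk-23`, which a check limited to `uses-permission` elements would miss.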
Mitigation priorities
- Maintain an Android app vetting process that reviews sensitive permissions before approval or deployment.
- Require business justification for applications that request SEND_SMS or premium SMS capability.
- Use mobile device or app management processes to maintain current application inventory on Android devices where applicable.
- Provide user or support guidance for reviewing premium SMS access in Android application settings when investigating concerns.
- Retain review evidence for audit, incident response, and mobile risk governance.
Analyst notes and limits
This is a mobile ATT&CK detection analytic for Android, external ID AN1659, tied to detection strategy DET0608. The supplied content focuses on user review of premium SMS access and app vetting for the SEND_SMS permission. No tactics, aliases, labels, official detection text, or relationships were supplied, so this assessment emphasizes defensive validation and governance rather than threat attribution or behavior chaining.
Coverage depends on local Android device management, app inventory quality, app vetting maturity, and whether devices are managed or user-owned. The supplied ATT&CK fields do not identify adversaries, campaigns, impacts, active exploitation, or a complete detection query.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 64aa5fdc91a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1659
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.